A self-contained MikroTik bandwidth monitor. One Python script — no separate web server, no database engine, no JavaScript framework required.
It collects per-second RX/TX measurements from a MikroTik router via the RouterOS API, stores them in a local RRD file, and serves an interactive graph UI from its own built-in web server.
- Collects one bandwidth sample per second via the RouterOS API
- Stores data at four resolutions covering up to 10 years (see Data retention)
- Serves a dark-themed web UI with interactive graphs directly from the script
- Live RX/TX readout in the page header with a connection health indicator
- Drag to zoom into any time window; preset ranges from 5 minutes to 5 years
- Area, line, and mirror RX/TX graph styles
- Optional volume display in the graph legend (see note on volume below)
- Auto-refresh at 5 / 30 / 60 second intervals, advancing the window as time passes
- Copy graph link and copy rrdtool command-line buttons
- Can run as collector only, web server only, or both — on the same or separate machines
- Setup wizard runs in the terminal; skips router credentials if the collector is disabled
- Config file is watched at runtime — changes apply within 30 seconds without a restart
- IP access control: allow-list of IPs, CIDR ranges, or hostnames (HTTP 403 for others)
Dependencies (Ubuntu install methods shown; equivalent packages exist for other distributions — last resort could be pip)
- Python 3.8+ — system package
- librouteros —
sudo apt install python3-librouteros - python3-rrdtool —
sudo apt install python3-rrdtool - rrdtool binary —
sudo apt install rrdtool
The script uses only the Python standard library beyond those packages.
git clone https://github.com/bitflogger/mt-trafmon.git
cd mt-trafmon
chmod +x mt-trafmon.py
sudo apt install rrdtool python3-rrdtool python3-librouteros
./mt-trafmon.pyThe setup wizard runs automatically on first launch. It asks for your router
address, API credentials, the path for the RRD data file, and web server
options. When it finishes, the collector and web server start immediately.
Open http://<host>:8080 in a browser.
The wizard runs in the terminal and asks:
- Enable collector? (if no, router credential questions are skipped)
- Router IP, username, password, WAN interface name
- RRD data file path (default: next to the script)
- Enable web server, port, page title, allowed IPs/networks
On save, the connection to the router is tested. You can choose to save and continue even if the test fails (useful if the router is temporarily unreachable).
When running as a systemd service (no terminal), complete setup interactively
first with ./mt-trafmon.py -s, then copy the resulting mt-trafmon.ini to
the service location.
After first-run setup, mt-trafmon.ini is created next to the script.
You can edit it directly while the script is running — changes are detected
and applied within 30 seconds without a restart.
[router]
host = 192.168.88.1
user = admin
password = xor:... ; machine-encrypted — do not edit manually
password_plain = ; plain-text override (see below)
interface = ether1
[storage]
rrd_file = /opt/mt-trafmon/traffic.rrd
[collector]
enabled = true ; false = web/graph server only (no router connection)
[web]
enabled = true ; false = collector only (no web UI)
port = 8080
page_title = MikroTik Traffic Monitor
allow = 127.0.0.1, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
dark_graph = true ; false = white graph background (classic rrdtool look)password_plain — if you move the script to a different machine, the
machine-encrypted password field will not decrypt correctly. Set
password_plain = yourpassword in the ini, restart, and the script will
re-encrypt it for the new machine and remove the plain-text entry on the
next save.
allow — comma-separated list of IPv4/IPv6 addresses, CIDR ranges
(e.g. 192.168.0.0/16), or hostnames. Requests from any address not on the
list receive HTTP 403. Dual-stack IPv4-mapped IPv6 addresses are handled
automatically.
-s/--setup— re-run the setup wizard (rewrites the ini on save)-w/--no-web— disable the web server at runtime (overrides ini)-c/--no-collect— disable the collector at runtime (overrides ini)-q/--quiet— suppress per-sample log output (recommended with systemd)-v/--version— print version and exit
-w and -c are runtime overrides and do not modify the ini file.
The collector and web server are independent. You can run one on the machine closest to the router and the other wherever you want to view graphs, as long as both can access the same RRD file (e.g. via NFS or a shared path).
# Machine A: collect only, no web UI
./mt-trafmon.py -c
# Machine B: serve graphs from the shared RRD file, no collection
./mt-trafmon.py -w# /etc/systemd/system/mt-trafmon.service
[Unit]
Description=MikroTik Traffic Monitor
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
ExecStart=/opt/mt-trafmon/mt-trafmon.py -q
Restart=always
RestartSec=30
User=mt-trafmon
[Install]
WantedBy=multi-user.targetsudo useradd -r -s /sbin/nologin mt-trafmon
sudo mkdir /opt/mt-trafmon
sudo cp mt-trafmon.py /opt/mt-trafmon/
# Run setup interactively first, then copy the resulting ini
./mt-trafmon.py -s
sudo cp mt-trafmon.ini /opt/mt-trafmon/
sudo chown mt-trafmon: /opt/mt-trafmon/mt-trafmon.ini
sudo chmod 600 /opt/mt-trafmon/mt-trafmon.ini
sudo systemctl daemon-reload
sudo systemctl enable --now mt-trafmonThe RRD file is pre-allocated at creation and does not grow afterwards.
Resolution Retention Used for
---------- --------- --------
1 second 1 year short-range zoomed views
10 seconds 5 years medium-range views
1 minute 5 years day / week / month views (avg + max)
5 minutes 10 years multi-year views (avg + max)
Total file size: approximately 835 MB.
The file is created automatically at the path specified by rrd_file. The
directory must exist and be writable by the user running the script.
When the Volume option is enabled, the graph legend shows the total data transferred (RX and TX separately) for the visible time window.
Two things to be aware of:
It is an approximation. Volume is calculated by integrating the average rate over time — not from actual byte counters on the router. For typical home or office traffic patterns the result is close, but it will differ from the router's own traffic accounting, particularly over very short windows or when traffic is highly bursty.
It is slow on long windows. Generating the volume figure requires fetching and summing every data point in the RRD for the visible range. On a mid-range machine (Intel i5-7400) a 5-year graph with volume enabled takes around 5 seconds; the same graph without volume takes under half a second. For day-to-day monitoring of recent traffic, volume is fast. For long-range historical views, consider disabling it.
The Volume checkbox is in the controls bar. Its state is preserved in the URL, so bookmarks and the Copy Link button capture your preference.
Using the admin account works, but a dedicated read-only user is safer:
/user/group/add name=trafmon policy=read,api
/user/add name=trafmon group=trafmon password=yourpassword
The script only calls /interface/monitor-traffic — no write access is needed.
- No HTTPS. The built-in web server is plain HTTP. If you expose the UI beyond the local network, put a reverse proxy with TLS in front (nginx, Caddy).
- Access control defaults to private networks only. The
allowsetting covers loopback and RFC 1918 ranges by default. Do not set it to0.0.0.0/0without a firewall in front. - Protect the config file. The ini contains your router password in
obfuscated form. Keep it readable only by the service user:
chmod 600 mt-trafmon.ini.
- 0.0.1 — initial release
- 0.0.2 — Added RADME.md and minor fixes